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(54) Method and apparatus for mutual authentication according to the challenge/response 
principle 



(57) A supplier device 70 which supplies title data is 
equipped with a encryption module 74 for performing an 
encryption which is substitutive in nature and the user 
device 90 which uses the title data is equipped with a 
decryption module 93 for performing a decryption which 



corresponds to the encryption. The supplier device 70 
uses this encryption module 74 to prove its own author- 
ization and authenticate other devices. Similarly, the us- 
er device 90 uses this decryption module 93 to prove its 
own authorization and authenticate other devices. 
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system standardized using International Organization 
for Standardi7ation/ International Electrotechnical Com- 
mission (ISO/I EC) 9789-2. 

Fig. 2 shows the communication sequence per- 
5 formed when an authorized supplier device 1 5 transmits 
a copy of a title in its possession to an authorized user 
device according to the above conventional technique. 
Here, steps S21 to S33 in the drawing correspond to the 
authentication step described above, with steps S34 to 
10 S36 corresponding to the aforementioned secret com- 
munication step. Each of these steps in the drawing are 
described in more detail below. 



1 

Description 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

The present invention relates to communication de- 
vices which authenticate each other using encryption 
before performing data communication. 

2. Description of the Prior Art 

When performing data communication, there are 
many instances when it is necessary to take protective 
measures against unauthorized copying or alteration of 
data. T 

In the example shown in Fig. 1, this relates to the 
optical disc reproduction device 10 reading a title such 
as a movie from the optical disc 13 and distributing a 
copy of the title via the network 1 V tQ.only. the authorized 
movie reproduction device 1 2 ; at the same time prevent- 
ing eavesdropping by unauthorized movie reproduction 
device 14. 

Secret communication where two-way authentica- 
tion is performed in- "Challenge Response" format pro- 
vides one method where data communication is' restrict-, 
ed to the supply of data from communication devices 
which have the authority to distribute data (hereinafter 
referred to as supplier devices) to communication de- 
vices which are authorized to receive the data (herein- 
after referred to as-authorized user devices), with other 
communication devices being excluded from the com- 
munication The procedure for this kind of communica- 
tion can be broadly divided into the following two steps. 

1. Authentication Step • " 

Before executing data communication, both devic- 
es verify that the device with which they are in contact • 
is an authorized device. This is performed to prevent un- 
authorized communication devices from becoming an 
authorized supplier device or an authorized user device. 

This confirmation is performed' using -encryption 
and consists of three main procedures. First, a first de- 
vice transmits challenge data to the second device. The 
second device then proves its authorization for this chal- 
lenge data and replies using response data. Finally, the 
first device verifies this response data. 

2. Secret Communication Step 

Secret communication of the object data is only per- 
formed when the authentication has been achieved in 
the previous step. This is to prevent eavesdropping dur- 
ing data transfer by third communication device. An ex- 
ample of a conventional technique for performing secret 
communication with two-way authentication performed * 
in "Challenge Response" format is a communication 



Steps S21, S22 

15 

First, the authorized supplier device 15 generates 
a random number R1 and transmits it to the authorized 
• user device 16 as challenge data. CHAT. 

20 Steps S23, S24 - 

On receiving the challenge data.CHAI , the author- 
ized user device 1 6 generates a random number R2 as 
challenge data for the supplier device 15 : and links 
25* tho?n two as the data CHA1jlR2. It then sots this linked 
■ data.(CHA1||R2) as plaintext and performs a first encryp- 
tion E, according to the first encryption algorithm using 
C " " an authentication key K1 , which is provided beforehand 
' only to authorized devices, as the encryption key. It then 

• 30 sends the resulting cryptogram E 1 (K1 , CHA1||R2) to the 
supplier device 15. 

It should be noted here that this cryptogram RE- 
SCH A is both the response data in reply to the challenge 
data CHA1 sent from the supplier device 15 and the 
35 challenge data for the supplier device 1 5. 

\Step_S25 

On receiving this data RESCHA, the supplier device 
40 1 5 sets it as a cryptogram and performs the first decryp- 
tion D A according to the first encryption algorithm, using 
the authentication key K1 , which is provided beforehand 
only to authorized devices, as the decryption key. 

* * It* should be noted here that the decryption D 1 is a 
45 reversal of the process in the encryption E-, according 

to the first encryption algorithm. 

Step S26 • • . 

so Next, the supplier device 15 performs a reversal of 
the process in step S23 for the result X1_ of the decryp- 
tion D v which is to say it performs separation to obtain 
- separated data RR1 which corresponds to challenge 
data CHA1 and separated data RR2 which corresponds 
55 to random number R2. 
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Step S27 

The supplier device 1 5 then compares the separat- 
ed data RR1 with the random number R1 generated in 
step S22. 

If, as a result,- the numbers coincide, the supplier 
device 1 5 verifies that user device 1 6 is authorized. This 
is based on the observation that both devices are in pos- 
session of the authentication key K1 which is only known 
by authorized devices. . - ' 

If, on the other hand, the numbers do not coincide, 
the supplier device 15 regards the user device 16 as not 
authorized and cancels the remaining processes. 

Steps S28, S29 ^ 

The supplier device 15, having authenticated the - 
device withwhiclvit is- in communication, in the above 
steps, next moves onto generating a new random, 
number K for use during secret communication and links 
this to separated data RR2. It then sets this linked data . 
(RR2(|fK) as plaintext and performs a first encryption E A 
according to a first encryption algorithm using a second 
authentication key K2, which is provided beforehand on- 
ly to authorized-devices' as the encryption- key It then 
^ends the re suiting. cryptogram E 1 (K2, RR2||K) tothe = 
user device 16. * . ■ * :. ■ : ■ 

• It should be noted here that this cryptogram (RES2) . 
serves as both the response data in reply to the chat- • 
' lenge data RESCHA sent from the user device 16 and. 
as the distribution of the shared key K for secret com:, 
munication: ■ ^ ' ' 

Step S30 -< 

On receiving this data RES2, the user device 16 
sets it as a cryptogram and performs a decryption D t 
according to the first encryption algorithm using the sec- 
ond authentication key K 2 provided beforehand as the 
• decryption key. 

Step S31 ■ - * ■ ' . \- 

Next, the user device 1 6 pert orms'a reversal of the 
process in step S28 for- the result X2 of the decryption 
D 1( which is to say it performs separation to obtain sep- 
arated data RRR2 which corresponds to response data- 
RR2 and separated data KK which corresponds to ran- 
dom number K. 

- Step S32 • " ■■' <• ■ - ■ 

The user device 16 then compares the separated 
data RRR2 with-the random number R2 generated in 
step S24. 

If, as a result, the numbers coincide, the user device 
16 confirms that supplier device 15 is authorized. This 
is based on the observation that both devices are in pos- 



session of the authentication key K2 which is only known 
by authorized devices. It should be noted here that when 
the separated data RRR2 and the random number co- 
incide, the separated data KK will be equal to random 
s number K. 

If, on the other hand, the numbers do not coincide, 
the user device 1 6 regards the supplier device 1 5 as not 
authorized and cancels the remaining processes. 

io Step S33 

On authenticating the supplier device 15 in the 
steps given above, the user device 16 informs the sup- 
, ; plier device 15 of this verification. 
is- i:-By_ doing so. the two-way authentication is positively 
completed at the same time as the provision of the 
. ..shared key K for the following secret communication is 
. completed. 

20 : Steps 634, S35 , 

The supplier device 15 then sets a copy of the title 
as plaintext and performs encryption E 2 according to a 
second encryption algorithm using the shared key K as 
zs the- encryption key, before transferring the encrypted ti- 
tle to user device 1 6. _ 

« ; ■, Step S36 : 

-30 On receiving the encrypted title, the user device 16 
» sets it as a- cryptogram and.performs decryption D 2 ac- 
cording to the second encryption algorithm using the 
shared key.K as the decryption key 

It should be-noted here that the decryption D 2 is a 
35 reversal of the process in the encryption E 2 according 
to the second encryption algorithm. 

By means of the above procedure, a copy of the title 
in the possession of the authorized supplier device 15 
- can be cfistr jbuted to the authorized user device 1 6, with 
. 40 , eavesdropping by a third communication device during 
. . distribution being prevented. 

. - . - . However, there are the following drawbacks with 

- ■ the verification method described above. 
. „! - (1) In order to perform two-way verification; both de- 
45 vices require large-scale logic circuits which prevent re- 
. .-ductions in the size of the equipment. 
J.,,.. In general, a more complex and hence more secure 
encryption algorithm is used in the authentication step 
than in the secret communication step. Here, a title corn- 
so prises a huge amount of data, so. that while from the 
viewpoint of transfer time it is necessary to perform the 
encryption and decryption of the title in a short time, only 
-...a negligible. amount of data is used by the challenge data 
and response data in comparison to the title data, so 
55 that there are no effective restrictions on the .amount of 
- ; data used. v Moreover, it is more important that a complex 
, encryption algorithm of high security be used in the au- 
■ > .thentication step in order to improve the overall security 
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of data communication. 

Here, in order to execute the authentication step, 
both devices need to be equipped with an encrypter for 
executing encryption E t and a decrypter for executing 
decryption D v 5 

If it is supposed here that each of the encrypter and 
the decrypter is composed of a logic circuit which in- 
cludes ten thousand gates, both devices will need to in- 
clude logic circuits which include over twenty thousand 
gates in order execute two-way authentication. This io 
makes the realization of compact, low-cost optical disc 
reproduction devices and image reproduction devices 
problematic. 

(2) The secret management necessary for main- 
taining the security of two-way authentication is very dit-" is 
ticult. 

In order to maintain the security of two-way authen- 
tication, the encryption algorithm. In order to do so, it is 
necessary to provide an encrypter and a decrypter only 
Lo the authorized supplier device VS.and the authorized 20 
user device 16. 

Here, for the aforementioned authentication meth- 
od, the encrypterand the decrypter provided in the sup- 
plier device 15 are the same as those which are be pro- 
vided in the- user device 16. As a result, should an un- - 25 ' 
•authorized communication device succeed in acquiring - 
the encrypter and the decrypter provided in-a supplier 
device 15, this unauthorized communication device can 
then be easily used as either a supplier device 15 or a 
user device 16. In the same way, should it succeed in 30 
acquiring the encrypter and the decrypter provided in a < .- 
user device 16, this unauthorized -communication de- • 
vice can then be easily used as. either a user device 16 
or a supplier device 15. This means that in order to main- 
tain the security of two-way authentication, it is neces- 35 
sary for the encrypter and decrypter in both the supplier 
device 15 and the user device 16 to be protected at a - 
same high level of security. 

However, since there are generally far greater 
number of title users than title distr-ibutors, it is difficult 40 
to maintain complete security for the encrypters and de- 
crypters used by all of the user devices 1 6. As a result, 
it is easy for unauthorized users to improperly obtain 
copies of titles or to improperly distribute them. 

As one example, suppose "authorization" is set as 45* 
"conforming to an established standard for optical 
discs". If in this case, the encrypter and- the decrypter 
are supplied not only lo the company which manufac- 1 
tures an optical disc reproduction device which con- 
forms to this standard but also to a large number of com- so 
panies which manufacture image reproduction devices 
which conform to the standard. Since it is -necessary 
here to maintain the secrecy of the systems, such se- 
crecy management is highly problematic. 

55 

SUMMARY OF THE INVENTION 

In view of the stated problems, it is a primary object 



of the present invention to provide a two-way authenti- 
cation device in challenge- response lormat which can 
maintain a high level of security and which is more com- 
pact than conventional devices. . 

It is a secondary object of the present invention to 
provide a two-way authentication device in challenge re- 
sponse format which allows simple secrecy manage- 
ment for maintaining the security of two-way authenti- 
cation. 

In order to achieve the above first and second ob- 
jects, the supplier device is equipped with a first authen- 
tication key and a first encrypter, with these being used 
for both the verification of the authorization of other de- 
vices and the demonstration of the authorization of the 
present device. In the same way, a user device is 
equipped with a first authentication key and a decrypter, 
with these being used for both the verification of the au- 
thorization of other devices and the demonstration of the 
authorization of the present device. Here, the encrypter 
performs an encryption which is substitutive in nature 
and the decrypter performs the reverse converse of this 
encryption, with both devices being provided with the 
same authentication key. 

The present invention is configured so that if the en- 
crypter performs an encryption which is substitutive in 
nature, plaintext is returned to its original form not only 
if decryption is performed after first performing encryp- 
tion but also if encryption is performed after first per- 
forming decryption. - - : 

Due to the above characteristic of the present in- 
vention, authentication of the user device by a supplier 
device, which has conventionally been executed by first 
having a user device perform encryption and a supplier 
device perform decryption, can be performed by a user 
device perform decryption and a supplier device per- 
form encryption. By doing so, a supplier device need on- 
ly comprise a single encrypter and a user device need 
only comprise a single decrypter to perform the same 
two-way authentication as conventional methods. This 
is to say, the present invention provides a two-way au- 
thentication device in challenge response format which 
is more compact than conventional devices but which 
surfers from no loss of security. 

. * Unlike convent bnal systems, in the present inven- 
tion the components (encrypter and authentication key) 
in the supplier device which need to be kept secret are 
different to the components (decrypter and authentica- 
tion key) in the user device which need to be kept secret, 
which means that it is easier to maintain a high level of 
security for the two-way authentication. This is to say, 
should an unauthorized communication device obtain 
the decrypter and authentication key, while such com- 
munication device may be used as a user device it can- 
not be used as a supplier device. This means that by 
maintaining an extremely level of security for secrecy 
management of the encrypter and authentication key in 
the supplier device, the most serious violation of security 
which is the use of an unauthorized communication de- 
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vice as a supplier device can be avoided. 

\ It is possible for the authentication key and the en- 
crypter in the supplier device to be combined in a single 
IC chip and for the authentication key and the decrypter 
in the user device to be combined in a single IC chip. By 
doing so, it is very difficult to decode the encryption al- 
gorithm and authentication key using a unauthorized 
communication device, which improves the security of 
two-way authentication and makes secrecy manage- 
ment simple. 

It is also possible to equip the supplier device and 
user device with a common second authentication key , 
and second encrypter, in addition to.the aforementioned 
encrypter and decrypter,. for two-way authentication. 
This is to say, the supplier device uses not only the first 
encrypter but also this second encrypter for both the ver- 
ification of the authorization of other devices and the 
demonstration of the authorization of the present de- 
vice. In the same way, the user device uses not only the, 
decrypler but also this second.encrypter for both the ver- 
ification of- the authorization- of other devices and the 
demonstration of the authorization of the present de- 
vice. By doing so, the security of the two-way authori- 
zation can be improved and; by having secrecy man- 
agement performed for this pair of second authentica- 
tion keys and second encrypters, secrecy management 
can be performed-simultaneously for both devices. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects, advantages and features 
of the invention will become apparent from the following • 
description taken in conjunction with the accompanying 
drawings which illustrate a specific embodiment of the 
invention. In the drawings: ■■■ \ 

■ - Fig. 1 shows an example construction of the com- 
munication system required for two-way authenti- 
cation; ' • 

^ Fig. 2 shows- the communication sequence when, 
transferring a copy of a title in the 1 possession of a 
supplier device to a user device, according to the 
prior art; r 

Fig. 3 is a block diagram showing the composition 
of the two-way authentication system in challenge 
response format to which the first' embodiment of 
the present invention relates; 
Fig. 4A shows an example of a substitutive trans- 
formation; ■ - 

Fig. 4B shows an example of a non-substitutive 
transformation; 

Fig. 5 shows the communication' sequence when 
transferring a copy of a title inthe possession of a 
supplier device to a user device, according to the 
present embodiment of the present invention; 
Fig. 6 is a block diagram showing the composition 
of the two-way authentication system in challenge 
response format to which the second embodiment 



of the present invention relates; 
Fig. 7 shows the communication sequence when 
transferring a copy of a title in the possession of a 
supplier device to a user device, according to the 

5 second embodiment of the present invention; 

Fig. 8 is a block diagram showing the composition 
of the two.-way authentication system in challenge 
response format to which the third embodiment of 
. the present invention relates; t 

10 ,-Fig. 9 shows the phase transition and data ex- 
changes when transferring a copy of a title in the 
. possession of a supplier device to a user device via 
an SCSI bus; and 

Fig. 10 shows an example construction of an 8 bit 
is , , data encrypter which is substitutive in nature. 

-DESCRIPTION OF THE PREFERRED 
. EMBODIMENTS 

20 First Embodiment 

A block diagram showing the composition of the 
two-way authentication system in challenge response 
format to which the first embodiment of the present in- 
25 ypntion relates is shown in Fig. 3. - ■ 

. This system is composed of a supplier device 70 
i - :and a user device 90 which are connected via a.network 
■ , 85. 

, r » The supplier device 70 is a communication device 
( 30 for supplying a copy of a title for which it holds the rights 
: to an authorized user device 90. and is made up of send- 
ing/receiving unit 86, construction elements for princi- 
pally performing the authentication step (these being a 
. first random number^generator 71 , a encryption module 
35, 74, a separator 75, a.comparator 76, a second random 
number generator. 77< and a linking unit 78) and con- 
struction elements for principally performing the secret 
communication step (these being a shared key tempo- 
rary storage unit 79, an encrypter 80 and a title storage 
^40 , U nit 8-1 ). .The operation timing of these construction el- 
■ - . ements is ; controlled by a system controller which is not 
,i illustrated. . » . „ ... 

■ The sending/receiving unit 86 is made up of a signal 
level transformer or the like, and executes the both data 
45 , transmission to the network 85 and data reception from 
: the network 85. 

^ .- The first random number generator 71 generates a 
32-bil random number as the challenge data for the user 
device 90. 

50-. ■ The encryption module 74 is a single IC chip which 
performs the encryption for the authentication step, and 
. „ includes an encrypter 72 for performing encryption £ A 
, using a first encryption algorithm and an authentication 
key storage unit 7i3 for storing a secret 64-bit authenti- 
55 cation key KS which are combined in its internal con- 
struction. As one example, this encryption module 74 
can conform to Data Encryption Standard (hereinafter, 
- DES) and be of "substitution" type. The details of "sub- 
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stitution" are described later in this specification. 

The separator 75 separates the 64-bit data from the 
encrypter 72 into two sets of separated data which are 
the higher-order 32 bits and the lower-order 32 bits, be- 
fore transferring the former to comparator 76 and the 5 
latter to linking unit 78. 

The comparator 76 compares the random number 
from the first random number generator 71 and the sep- 
arated data from the separator 75 and judges whether 
the two coincide. . *o ■ 

The second random number generator 77 gener- 
ates a 32-bit random number for the shared key to be 
used in the secret communication steppnly after receiv- 
ing notification from the comparator 76 that the two num- 
bers coincide. 15 

The linking unit 78 generates 64-bit data by setting 
the separated data from the separator 75 as the higher- 
order 32 bits and the random number generated by the 
second random number generator 77 as the lower-order 
32 bits. 20 

The shared key temporary storage unit 79 tempo- 
rarily stores the one random number sent from the sec- 
ond random number generator 77. Then, only after re- 
ceiving notification of positive authentication from the 
user device 00, the ehsred key temporary storage unit ? 5 
79 sends the stored random number, which is to say the 
shared key K, to encrypter 80. 1 * 

The title storage unit 81 is made up of r an optical 
disc for storing a movie or the like according to an es- " 
tablished standard and a reproduction device for the 30 
disc. It stores the title data to be supplied to other au- - 
thorized communication devices. 

The encrypter 80 performs encryption E 2 using the 
second encryption algorithm. It sets 64-bit units of data 
read from the title storage unit 81 as plaintext and per- 35 
forms encryption using the shared key K sent from the 
shared key temporary storage unit 79 as the encryption 
key. As one example, this second encryption algorithm 
can be a substitution encryption performed for 64-bit ■ 
units. 40 

On the other hand, the user device 90 is a commu- 
nication device which is authorized to receive the copy . r 
of the title from the supplier device 70 and to perform 
predetermined processing, with the user device 90 be- 
ing composed of a sending/receiving unitB7, construe- - 45 
tion elements principally for performing the authentica- 
tion step (a first random number generator 94, a linking 
unit 95,- a decryption module 93, a separator 96 and a 
comparator 97) and construction elements , principally 
for performing the secret communication step (a shared so 
key temporary storage unit 98, a decrypter 99 and a title 
processing unit 89). The operation timing of these con- 
struction elements is controlled by a system controller 
which is not illustrated. 

The sending/receiving unit 87 has the same func- ss 
tions as the sending/receiving unit 86. 

The first random number generator 94 generates a. 
32-bit random number for the challenge data for the sup- 
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plier device 70. 

The linking unit 95 generates 64-bit data by setting 
the challenge data from the user device 90 as the higher 
order 32 bits and a random number from the first random 
number generator 94 as the lower order 32 bits. 

The decryption module 93. is a single IC chip which 
performs the decryption for the authentication step and 
includes a decrypter 91 for performing decryption us- 
ing the first encryption algorithm and an authentication 
key storage unit 92 for storing a secret 64-bit authenti- 
cation key KS which are combined in its internal con- 
struction. This decryption D 1 is the reverse of the en- 
cryption E,. Here, the authentication key KS stored by 
remote control reception unit 92 is the same as that 
stored by the authentication key storage unit 73. 

The separator 96 separates the 64-bit data from the 
decrypter 91 into two sets of separated data made up 
of the higher order 32 bits and the lower order 32 bits. 
It sends the former to the comparator. 97 and the latter 
to the shared key temporary storage unit 98. 

The comparator 97 compares the random number 
from the first random number generator 94 with the sep- 
arated data from the separator 96 and judges whether 
the two coincide. 

The shared key temporary storage unit 98 tempo* 
rarily stores the separated data sent from the separator 
96. However, only after receiving notification of coinci- 
dence from the comparator 97 does the shared key tem- 
porary storage unit 98 send a notification of such to the 
supplier device 70 and send the separated data, which 
is to say the shared key, to the decrypter 99. 

The decrypter 99 performs decryption D 2 according 
to the second encryption algorithm. In doing so, it sets 
the 64-bit data units which are sent from the supplier 
device 70 and which compose the title as plaintext and 
decrypts them using the shared key K sent from the 
shared key temporary storage unit 98 as the decryption 
key. This decryption D 2 is a reverse of the processing in 
encryption. E 2 . 

The title processing unit 89 can be made up of a 
device for image reproduction of image data according 
to an established standard 'and performs the reproduc- 
tion processing of the. data sent from the decrypter 99. 

The following is an explanation of "substitution". 
The explanation supposes that encryption E performs 
the transformation E() of group SI to group S2 while the 
corresponding decryption performs reverse transforma- 
tion D(). 

In the above case, the classification of E() as a sub- 
stitution means that the following three conditions are 
satisfied. 

1. S1 = S2. 

2. E() is a monomorphic. 

3. E() is a epimorphic. 

Here, E() is monomorphic because for unknown x 
and y in S1 , the relation x=y is valid when E(x)=E(y). E 
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() is epimorphic because for any unknown z in S2, there 
is an unknown w in S1 which satisfies E(w)=7. It should 
be noted here that if E() is a substitution, D() must also 
be a substitution. 

The following explanation deals with the above on 
the relationship between E(), and D(). 

Firstly, if E() is epimorphic, since D() is the reverse * 
transformation of E(),* for. any unknown x in S1 , the result * 
D(E(x)), which is the reverse transformation using D() 
of the result E(x) when x has been converted using E 
(x), will be equal to x. This is to say, the following Equa- 
tion 1 is satisfied. 

x = D(E(x)) ' .'(Equation 1) 

Here, since S1=S2, for any unknown x in Si, the 
result D(x) of reverse transformation using D() will be an . 
unknown in Si. Accordingly, D(x) can be substituted for 
x in Equation 1 to give Equation 2 below.. 

D(x) = D(E(D(x))) (Equation 2) 

* Also, since D() is monbmorphie, Equation 3 below 
can be established from Equation 2. 

. * x-E(D(x)) . (Equation 3) 

The above Equation 3 states that the result E(D(x)) 
which is given by converting the result D(x), obtained by 
having reverse converted an arbitrary unknown x using < 
D(), according to E() is equal to x. 

As can be seen from Equations 1 and 3 above, for 
encryption techniques which are substitutive. in nature, 
both decryption after encryption and encryption after de- 
cryption result in a return to the original plaintext. The 
encryption technique used by the present system is 
such a substitution. 

Here, in order to assist the reader's understanding, 
examples of substitutive transformation and non-substi- 
tutive transformation-will be given, with the former being 
shown in Fig. 4A and the latter being shown in Fig. 4B. - 
Here, S1 and S2 are groups based on ali of the data 
which can be expressed using three bits, with the cor- ... 
respondence between elements in.S1 and.S2 being 
shown by the arrows. In the transformation shown in Fig. 
4B, neither the condition of monomorphism nor that of 
epimorphism are satisfied. 

The following is an explanation of the operation of 
the present system with reference to the sequence 
shown in Fig. 5. 

Fig. 5 shows the communication sequence when a 
copy of a title belonging to the authorized supplier de- 
vice 70 is transferred to the authorized user device 90. 
This drawing corresponds to Fig- 2 in the prior art section 
and shares many steps with the prior art example. The 



differences lie in encrypter and decrypter used in steps 
S43. S45, S48 and S50. Each step in Fig. 5 is explained 
below with reference to the block diagram in Fig. 3. 

5. Steps S41 , S42 

First, the first random number generator 71 in the 
supplier device 70 generates random number R1 and 
transmits it as challenge data CHA1 to the user device 
10 90 via the sending/receiving unit 86 and the network 85. 

Steps S43, S44 • : - 

On receiving the.challenge data CHA1 via the send- 
is ing/receiving unit 87, the linking unit 95 in the user de- 
. vice 90 obtains random number R2 from the first random 
... number generator 94 as challenge data for the supplier 
device* 70, and links these two as the data CHA1||R2. It 
then sends this linked data (CHA1||R2) to the decrypter 

20 91. 

• , The decrypter 91 sets this linked data (CHA1||(R2) 
- as a cryptogram and performs decryption D 1 according 

to the first encryption algorithm using the authentication 
key KS stored in the authentication key storage unit 92 

25 as the decryption key. It should be noted here that while 
/ in step S23 of the prior art the linked data (CHA1||R2) 
was subjected to encryption E t , for the present system 

. the linked data is subjected to decryption , with these 
.two.processes being different. 

30 The message 0^ (KS,CHA1||R2) obtained from the 
- decryption is the response data to the challenge data 
CHA1 and is transmitted to the supplier device 70 as the 
challenge data RESCHA for supplier device 70. 

35 ;■• step S45 t 

• On receiving this data RESCHA, the encrypter 72 
sets it as plaintext and performs.encryption E, according 
: to the first encryption algorithm using the authentication 
40 key KS stored in the authentication key storage unit 73 
... as the encryption key. It should be noted here that while 
•in step S25 of the prior art the data RESCHA was sub- 
jected to decryption , for the present system the linked 
; data ;is subjected to encryption E-, , with .these two proc- 
uresses being different. 

■ In this way, for plaintext CHA1, the present system 

performs encryption (step S45) after first performing 

* - decryption (step S43), which, as can be seen from 

, Equation 3, returns the data to the original plaintext 
so. CHA1. 

< Step S46 . ■ . 

Next, the separator 75 separates the result X1 of 
55 the encryption £ A by the encrypter 72 and sends the 

separated data RR1 corresponding to the challenge da- 
. • ta CHA1 to the comparator 76 and the separated data 

RR2 corresponding to random number R2 to the linking 
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unit 78. 



temporary storage unit 96. 
Steps S52. S53 



Step S47 

On receiving the separated data RR1, the compa- 
rator 76 compares this separated data RR1 with the ran- 
dom number R1 received from the" first randomn umber 
generator 71 and notifies the second random number 
generator 77 of the comparison result. .'* . • 

Steps S48, S49 

On" receiving notification of coincidence from the 
comparator 76, the second random number generator 
77 generates random number K for the shared Reyand 
sends it to the linking unit 78 and to the shared key tern- . 
porary storage unit 79.- This 'equates to the case when 
the supplier device 70 has been able to confirm that the 
user device 90 is authorized. 

On the other-hand, on receiving notification of non- 
coincidence from the. comparator 76, the second ran- 
dom number generator 77 does not generate random 
number K and so does not perform the processing de- 
scribed above. This equates to the case when the sup- 
plier device 70 has not been able- to confirm that the user 
device 90 is authorized- * 

' On receiving the shared key K, the -linking 'unit 78 
links the shared key K with the separated data RR2 from 
the separator 75 and sends' this linked data (RR2||K) to 
the encrypter 72 

The encrypter 72 sets- the linked data- (RR2||(K) as 
plaintext and performs encryption E A according to the 
first algorithm using the authentication key KS stored in 
the authentication key storage unit 73 as the encryption 
key. The cryptogram (KS : RR2||K) thus obtained is 
then sent to the user device 90 as the response data 
RES2 in reply to the challenge data RESCHA. 

By doing so/the supplier device 70 can check the 
response data from the user device 90 (step S45) and 
generate response data to be sent to the user device 90. 
(step S48) using only one encryption-module 74, which 
was'not possible under the prior art. * * 

Step S50 

On receiving this data RES2, the decrypter 91 sets 
it as plaintext and performs decryption D 1 according to 
the first encryption algorithm using the authentication 
key KS stored in the authentication key storage unit 92 
as the encryption key. ,;-»-•= 

Step S51 

Next, the separator 96 separates the result X1 of 
the decryption D, by the decrypter 91 and sends the 
separated data RRR2 corresponding to the separated 
data RR2 to the comparator 97 and the separated data 
KK corresponding to the shared key K to the shared key 



s . On receiving the separated data RRR2, the compa- 
rator 97 compares this separated data RRR2 with the 
random number R2 received from the first random 
number generator 94 and sends notification of the com- 
parison result to the shared key temporary storage unit 
98. 

The shared key temporary storage unit 98 tempo- 
rarily stores the separated data KK received from the 
separator 96. On receiving notification of coincidence 
from the comparator 97, the shared key temporary stor- 
age unit 98 sends notification of this to the supplier de- 
vice 70 and sends the separated data KK (which is the 
same as the shared key K) to decrypter 99. This equates 
to the case when the user device 90 has been able to 
confirm that the supplier device 70 is authorized. This is 
to say, Ihe two-way authentication is positively complet- 
ed at the same time as the provision of the shared key 
K for the following secret communication is completed. 

On the other hand, on receiving notification of non- 
coincidence from the comparator 97, the shared key 
temporary storage unit 98 does not perform transmis- 
sion to the supplier device 70 or to the decrypter 99. 
Accordingly, the following processes described above 
are* not performed.. This equates to the case when the 
user device 90 has not been able to confirm that the sup- 
plier device 70 is authorized. . 



On receiving notification of .positive authentication 
from the user device 90, the shared key temporary stor- 
age • unit 79 sends the previously-stored random 
number, which is to say shared .key K, to the encrypter 
80 which performs the encryption E 2 according to the 
second encryption algorithm. 

The encrypter 80 sets a copy of the title stored in 
the title storage unit 81 as plaintext and performs en- 
cryption E 2 according to the second encryption algo- 
rithm, using the shared key K sent from the shared key 
temporary storage. unit 79 as the encryption key, before 
45 transferring the encrypted result to the user device 90. 

Step S56 

On receiving the encrypted copy of the title, the de- 
so crypter 99 sets this as a cryptogram and performs de- 
cryption D 2 according. to the second encryption algo- 
rithm using the shared key K sent from the shared key 
temporary storage unit 98 as the decryption key. 

By doing so, the authentication step and secret 
ss .communication step are completed as in the prior art. 
This is to say, if a same encryption algorithm is used as 
in the prior art, the authentication step and secret com- 
munication step for the present invention will be just as 
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secure as in the prior art. 

However, as can be clearly seen from Figs. 2 and 
5, the authorized supplier device 1 5 and the authorized 
user device 1 6 in the prior art both include an encrypter 
and a decry pter, .while for the present system, the sup- 
plier device 70 only contains an encrypter 72 and the 
user device 90 only contains a decrypter 91 . 

The above construction is possible since the en- 
cryption algorithm used by the encrypter 72 and the de- 
crypter 91 is a substitution and since a same encrypter 
(or decrypter) is used both to check the authorization of 
the other device and to prove the authorization of the 
present device. 

Accordingly, for the present system, the supplier de- 
vice 70 no longer needs the decrypter which, was used 
in the prior art and the user device 90 no longer needs 
the encrypter. which was used in the prior art, so that 
both devices can be made more compact 

At. the same time, secrecy management for main- 
taining the securityof two-way authentication becomes 
moie simple with the present system. This is because - 
the mechanism (the encryption module 74) to be kept r 
secret for the supplierdevice-70 is different from the 
mechanism" (decryption module 93) to be kept. secret for 
the user device 90. 

This is to say should an unauthorized communica- 
Uondevtce succeed in acquiring the encryption- modules 
74. while this unauthorized communication device may . 
bo used as an authorized supplier device 70, it cannot, 
be used as an authorized user device 90 Similarly, white 
an unauthorized communication device which has ac- 
quired the decryption module 93 may be used as an au- 
thorized user device 90. it cannot be used as an author- 
ized supplier device. 70 
> ^ As a result, as one example, by performing the se-- 
crecy. management of the encryption module 74 sup- 
plied to companies which manufacture the authorized 
' supplier device 70 more securely than the secrecy man- 
agement of the decryption module 93 supplied to com- 
panies which manufacture the authorized user device; 
90, the worst possible violation of secrecy can be avoid- 
ed. This is to say, even if an unauthorized user can view 
titles, they will still not be able to perform the tnore sig- 
nificant violation of secrecy which is the unauthorized 
supply of such titles. : . 

Second Embodiment 

* The following is an explanation of the two-way au- 
thentication system of ^challenge nespbnse format to 
which the second embodiment of the present invention 
relates. The present system features an improvement 
in the security of the two-way. authentication over the 
system in the first embodiment. * " 

Fig. 6 is a block diagram showing the composition 
of the two-way authentication system in challenge re^ 
sponse format to which this second embodiment o1 the 
present invention relates. 



As can be seen by comparing the present figure 
with Fig. 3, in the present system the supplier device 
170 includes a new encryption module 84 in addition to 
the construction elements of the supplier device 70 in 
5 the first embodiment and the user device 190 includes 
, , a new encryption module 103 in addition to the construc- 
tion elements.of the user device 90 in the first. embodi- 
ment. It should be noted here that the construction ele- 
ments in Fig. 6 which are the same asthose in the sys- 
10 tern of the first embodiment have been given the same 
reference numerals. 

The encryption modules 84, 103 are each made up 
■of a single. I C chip which performs the. encryption for the 
. authentication step, with an. encrypter. (respectively 82, 
'5 1 : 01 ) for performing encryption E 3 using a third encryp- 
- / \. tion algorithm and an authentication key storage unit (re- 
spectively 83. 102) for storing a second authentication 
♦ key KS . being combined in each, of their internal con- 
structions. This is to say, the encryption module 84 and 
20 : the. encryption module 1 03 have the same construction 
[elements, with these being different for the encryption 
module 74, the encrypter 80, the decryption module 93 
and the decrypter 99. This encryption E 3 according to 
: the third encryption algorithm can, for example, be a 
2§ . substitution encryption performed for 64-bit units. 

As can be seen from Figs. 3 and 6, in addition to 
» . thermovision of encryption modules 84 and 103, theda- 
■. v.ta-transfer circuits in each of the communication devices 
• are different in part to those in the first embodiment 

The following is an explanation of the operation of 
"the : present system with reference to the communication 
sequence shown in Fig. 7. The explanation will focus on 
the differences in processing content to the first embod- 
iment. 

; Steps S14VS142 - . •; 

First, the first random number generator 71 gener- 
ates random; number RT and transmits it to the user de- 
.40 vice 190. as. challenge data CHA1 for the user device 
t 190 in the same way as in the first embodiment. How- 
ever, unlike the first embodiment it also sends the ran- 
dom number R1 to the encrypter 82. 

45 step S143 

.- ■ ..The encrypter 101 receives the challenge data 
CHA1 from the supplier device 1/0. 

The encrypter 101 sets this challenge data CHA1 
so as an cryptogram and performs encryption E-, according 
to the third encryption algorithm using the second au- 
thentication key KS2 stored in the authentication key 
storage unit 102 as the decryption key 
: x ■ * This step is added to the sequence used in the first 
55 embodiment- to improve .the security of the authentica- 
. < tion.of the user device 190, by the supplier device 170. 
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Steps S144, S145 

The first random number generator 94 generates 
the random number R2 as the challenge data for the 
supplier device 170 and sends it to the linking unit 95 in 
the same way as in the first embodiment, but, unlike the 
first embodiment, also sends the random number R2 to 
the encrypter 101: 

The linking unit 95 links the cryptogram X1 obtained 
in step S143 and the random number R2 generated by 
the first random number generator 94. 

The decrypter 91 sets the linked data (X1||R2) from 
the linking unit 95 as a cryptogram and performs decryp- 
tion D 1 according to the first encryption algorithm using 
the authentication key KS stored in the authentication 
key storage unit 92 as the decryption key. If then sends . 
the obtained data RESCHA to the supplier device 170 
as both the response data and as the challenge data. 

In this way, while the challenge data CHA1 -from the * 
supplier device -170 was inputted directly into the de- 
crypter 91 in the first embodiment, in the present system 
it is subjected to encryption E 3 by encrypter 101 before . 
being inputted into the decrypter 91 . 

Sto p S 1 46 S 1 47 " 

The processing in these steps is equivalent to the 
reverse of the processing in step S144 and is the same 
as the processing in steps S45 and S46 in the first em- 
bodiment. 

This is to say: the data X2 obtained by the process- 
ing in step SI 46 corresponds to the linked data (X1||R2). * 
The separated data XX1 obtained in step S147 corre- 
sponds to cryptogram X1 and the separated data RR2 
corresponds to random number R2. Note here that the' 
separator 75 sends the separated data RR2 to the en- 
crypter 82. 

Step S 148 : ■-. . t - . .. - . . 

The* encrypter 82 which received the randonrr 
number R1 from the first random number generator 71 
in step S141 sets this random number as plaintext and 
performs encryption E 3 according to the. third encryption • 
algorithm using the authentication key KS2 stored by the- 
authentication key storage unit 92. 

This step corresponds to step_Sl 43 for .the user de- ' 
vice 1 90. This is to say, the cryptogram X3 obtained from, 
encryption E 3 in step SI 48 corresponds to the crypto- 
gram X1- obtained from encryption E 3 in step*S143 and . 
also corresponds to the separated* data* XX 1 obtained 
from the separation in step S147. - 

It should be noted herd that the* processing in this 
step S1 48 is performed at-the same time as the process- 
ing in steps S146 and S147, since it is hot necessary for 
these steps to follow one another.**'- -* . _ 

• > .1 . . «. " ' i. * - • .* *■'■*! 



- Step'S 149 

On receiving the separated data XX1 from the sep- 
arator 75, the comparator 76 compares the separated 
5 data XX1 with the cryptogram X3 received from the en- 
crypter 82 and notifies the second random number gen- 
erator 77 of the comparison result. 

Step S150 

10 

Having received the separated data RR2 from the 
separator 75 in step S1 47, the encrypter 82 sets the sep- 
arated data RR2 as plaintext and performs the encryp- 
tion E 3 according to the third encryption algorithm using 
75 . the authentication key KS2 as the encryption key. It then 
sends the resulting cryptogram X4 to the linking unit 78. 
This step is added to.the sequence used in the first 
. embodiment to. improve the security of the authentica- 
i : tion of the supplier device 170 by the user device 190. 
20 it should be noted here that the processing in this 
step S 1 50 is performed at the same time as the process- 
ing in steps. S1 49, since it is not necessary for these 
■- steps to follow one another. 

25 Stops S151, S152 

On receiving notification of coincidence from the 

* > comparator 76, the second random number generator 
77 generates a random number K for the shared key 

30. and transfers.it to the linking unit 78 and to the shared 
key temporary storage unit 79. This equates to the case 
when the supplier device 170 has been able to confirm 
that the user device 190 is authorized. 

On the other hand, on receiving notification of non- 
55, coincidence from the comparator 76, the second ran- 
dom number generator 77 does not generate a random 
■ / .number K and does not perform the following process- 
. es. This equates to the case when the supplier device 

• . 170 has not been able to confirm that the user device 
40. 190 is authorized. 

On receiving the shared key K, the linking unit 78 
links the shared key K with the cryptogram X4 from en- 
crypter 82 and sends this linked data (X4||K) to the en- 
\,crypter72. . . ( 
45 . The encrypter 72 sets the linked data (X4||K) as 
. ^ plaintext.and performs encryption E 1 according to the 
* ■ first algorithm using the authentication key KS stored in 
the authentication key storage unit 73 as the encryption 
key. The cryptogram E-, (KS,X4||K) thus obtained is then 
50, sent to the user device 90 as the response data RES2. 

Steps S153, S154 

The processing in these steps is the equivalent of 
•55 a reverse of the processing in step S1 51 and is the same 
as the processing in steps S50 and S51 in the first em- 
bodiment. 

This- is to say, the data X5- obtained from the 
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processing in step S153 corresponds to the linked data 
(X4||K). In the same way, the separated data XX4 ob- 
tained by the processing in step S154 corresponds to 
the cryptogram X4 and the separated data KK .corre- 
sponds to the shared key K. 

Step S155 

The encrypter 101 sets the second random number • 
R2 which it received from the first random number gen- 
erator 94 in step S1 44 as plaintext and performs encryp- 
tion E 3 according to the third encryption algorithm using 
the authentication key KS2 stored in the authentication 
key storage unit 102 as the encryption" key. 

This step corresponds to step S150 in the supplier 
device 170. This is to say, the cryptogram X6 obtained 
from encryption E 3 in this step corresponds to the cryp- 
togram X4 obtained from encryption E 3 in step J S150 and 
so also to the separated data XX4 which is obtained by 
the separation in slep S1 54. - 

- It should be noted here that the processing in this 
step S1 54 is performed at the same time as the process- 
ing in steps S153, since it is not necessary for these 
steps to follow one another. 

Steps S156, S157 

The comparator 97- compares the separated data-. 
XX4 from the separator 96 and the cryptogram X6 from 
the encrypter 101 and informs the shared key temporary 
storage unit 98 of the comparison result. 

- The shared key temporary storage* unit 98 tempo- 
rarily stores the separated data sent from the separator 
96. On receiving notification of coincidence from the- 
comparator 97, the shared key temporary storage unit 
98 informs the supplier device 170 of this result and 

" sends the separated data KK (which correspond to the 
shared key K) to the decrypter 99. This equates to the 
case when the user device 1 90 has been able to confirm 
that the supplier device 1 70 is authorized. This is to say, 
the two-way authentication is positively completed at the 
same time as the provision of the shared key K for the 
following secret communication is completed. 

On the other hand, on receiving notification of non-- 
coincidence from the comparator 97, the shared key. 
temporary storage unit 98 does not perform transmis- 
sion to the supplier device 170 or to the decrypter 99. 
Accordingly, the following- processes described above 
are not performed. This equates. to the case when the 

* user device 190 has not been* able to confirm -that the 
supplier device 170 is authorized. 

Steps S158-S160 

"The processing in these steps is the same as the 
processing in steps S54-S56 in the first embodiment so 
that no explanation will be given. 

By means of the above processing, a copy of a title 
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in the possession of an authorized supplier device 15 is 
distributed only to authorized user devices, with eaves- 
. . dropping by a third communication device during distri- 
bution being prevented. 

s . . As can be seen by comparing the sequences in Fig. 
S and Fig. 7, steps S143, S148, S150and S155 in Fig. 
7 have been added to the processing in the sequence 
for the first embodiment. This is to say, the supplier de- 
- vice 170 and the user device 1 90 are equipped with en- 

10 , cryption modules 84 and 10 3, for performing encryption 
E 3 according to. the third encryption algorithm, which 
were not.provided to the supplier device 70 and the user 
device 90 in the first embodiment. Furthermore, in order 
to check the authorization of user devices and to prove 

is its own T authorization, the supplier . device 170 uses not 
• ,; only the encryption module 74 but also a second encryp- 
tion module. 84. In the same way, in order to check the 
.authorization of, a supplier device and to prove its own 
authorization, the user device 1 90 uses not only the en- 

20 cryption module 93butatsoa 1 second encryption module 

■ 103. . : s- 

■ . • ; Due to the construction and processing described 

above, the system of the second embodiment has all of 
the advantages of the system of the first embodiment, 
25 while at the same time incrcasing;tho security of the two- 
way authentication process. 
... ... . It should be> noted here that since the encryption 

■ ■ «■> .module 84 in the supplier device 1 70 is the same as the 
.. * encryption module 103 in the user device 190, secrecy 
30 management for these modules should be performed 

- more- securely than for the encryption module 74 and 

■ v \the decryption module 93- This can be effectively real- 
* ized, for example, by using a separate IC chip for each 

. of the encryption module 84, the encryption module 103, 
. 35 the system controller in supplier device 1 70 and the sys- 
tem controller .in user device 190. By doing so, the se- 
curity of the two-way authentication process can be im- 
proved by increasing the security with which secrecy 
management for the encryption module 74 and the de- 
40 cryption module 93 is performed. 

; As described above, while improving the security of 

- the two-way authentication, the. present system has the 
; . ■ .advantage of. enabling secrecy management for both 
' .. . \ communication devices to be achieved through secrecy 
45 v - management of one encryption module. 

• ^ Third Embodiment 

* • The following is an explanation of the two-way au- 
50 thentication system of challenge response format to 
- . which the third embodiment of the present invention re- 
lates. The present system equates to.the case where a 
transfer procedure for an SCSI (Small Computer Sys- 
tem Interface) which is a representative standard input/ 
55 output interface is^used in the authentication step and 
the secret communication step of the system in the first 
embodiment. 

Fig. 8 is a block diagram showing the composition 
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of the two-way authentication system in challenge re- 
sponse format to which this third embodiment of the 
present invention relates. 

As can be seen by comparing the Fig. 3 and Fig. 6, 
SCSI controllers 210, 220 have respectively been add- 
ed to the supplier device 70 and the user device 90 of 
the first embodiment. Each of SCSI controllers 210, 220 
is made up of a CPU, ROM, RAM and the like and ex- 
ecutes processing which is standardized for SCSI. 

In the present system, the supplier device 270 is an 
optical disc reproduction device, the user device 290 is 
a host system, the network-85 is an SCSI bus, the send- 
ing/receiving unit 86 is an I/O controller for SCSI and 
the sending/receiving unit 87 is a host adapter. 

For SCSI, a pair of devices first occupy the bus and 
then perform data transfer of the object data by advanc- 
ing through the four phases called "command", "data", 
"status" and "message".- As one example, the phase 
transition when a first device reads data from a second 
device is as shown below. . - v 



* Step S203 (Status Phase) 

The supplier device 270 informs the user device 
290 of the execution result of the aforementioned au- 
s thentication command. 

Step S204 (Message Phase) 

The supplier device 270 sends a message ("com- 
io mand complete") to the user device 290. By doing so, 
the two-way authentication and the establishment of the 
secret key K are completed. 
. Next, the following exchanges are performed. 

is . Step S205 (Command Phase) 

The user device 290 sends a secret communication 
■ command to the supplier device 270. 

20 Step S206 (Data Phase) . .. 



1. Command phase: the -first device transmits a 
command (READ) to the second device. : 

2. Data phase: the second device sends data of the 
dccigriutcd length to the first d^^'c* 

3 Status phase: the second device reports its sta- 
tus (the execution result of the above command) to 
the first device. - * 

4 Message phase: the second device sends a mes- 
sage to the first device (command complete) < 
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The supplier device 270 encodes the title using the 
secret key K established in step S202 and sends a title 
data of- a specified data length to the user device 290. 

-Step S207 (Status Phase) 



..-*•*.. The supplier device 270 informs the user device 
- • 290 of the execution result of the aforementioned secret 
30 communication command. 



Here, since the definition of vendor unique com- 
mands is permitted for SCSI,- the authentication com- 
mand and the secret communication command are 
uniquely defined in the present embodiment. More spe- 
cifically, the SCSI controllers 210. and 220 contain 
processing programs which correspond to these com- 
mands in their internal ROMS. ; 

Fig 1 . 9 shows the phase - transition and data ex- 
changes when transferring a copy of a title in.the pos- 
session of the supplier device 270 to the user, device? 
290 via the SCSI bus. These data "exchanges are per- 
formed according to control operations by SCSI control- 
lers 210 and 220. 

Step S201 (Command Phase) • 

The user device 290 sends an authenlication com- 
mand to the supplier device 270. 

Step S202 (Data Phase) 

Data is exchanged between the user device 290 
and the supplier device 270 according to .the authenti- 
cation step (steps S41-S53 in Fig. 5). 



. Step S208 (Message Phase) 

The supplier device 270 sends a message ("com- 
>3S_ mand complete") to the user device 290. By doing so, 
,the transfer of title data using secret communication is 
' - completed. 

By means of the above procedures, the present 
system can perform two-way authentication and secret 
; 40- communication adapted to an SCSI. 

. The; following is an explanation of the disconnect 
.and reconnect functions with which the present system 
is equipped. 

Under SCSI, disconnect and reconnect functions 
45 are defined to enable efficient use to be made of the 
. SCSI bus. Here, one example is when seek time (the 
. .time taken for move the head position) -becomes nec- 
■ essary when an optical disc reproduction device exe- 
cutes a command to read a large amount of data from 
so an optical disc, In such a situation, there is a holdup in 
the reading of data from the optical disc, reproduction 
device so that the SCSI bus is temporarily unused. In 
such a situation, the efficiency with which the SCSI bus 
is used can be improved by both devices temporarily 
55 disconnecting from the bus to allow use by other devices 
„ - and then requesting to reconnect to the SCSI bus once 
the necessary preparations for data transfer have been 
. made. , 
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The problem with the above procedure is the dan- 
ger of an unauthorized third party joining the communi- 
cation when the above kind of disconnect and reconnect 
operations are made. Accordingly, when both devices 
resume communication after a- reconnect, it is neces- 
sary to have both devices agree on a method for exclud- - 
ing unauthorized devices. 

The present system overcomes the aforementioned 
problem by having the supplier device 270 and the user 
device 290 establish the following before disconnecting. 

Whether to perform two-way authentication accord- 
ing to the procedure described'above (steps 
S201-S204) every time a reconnect is performed, 
whether to perform a simplified authentication of on- 
ly one of the devices or whether to not perform au- 
thentication at all. • 

Whether to establish a new secret key according to : 
the procedure described above (steps S201-S204) ; 
when a reconnect is per formed, or wh ether Lo per- 
form data transfer using the same secret key as be- 
fore. ■ — - * : - •'- "' '• ■ 

More specifically, by informing the user device 290 . 
of a procedure stored beforehand in the SCSI controller 
210, both communication devices iend .up .storing the 
same information about disconnects and reconnects. . 
Accordingly; when a reconnect is performed, communi- 
cation devices 270 and 290 perform such processes as 
aulhentication and the establishment of a secret key in 
accordance with the stored information. By doing so, in- 
consistencies in the„exchanges between devices after 
a reconnect can be avoided and the reconnect can pro- • 
ceed smoothly. 

- : The two-way authentication system of the present 
invention has been explained using the preceding three 
embodiments, although it should not be construed as 
being limited to such. Some examples of possible mod- 
ifications are listed below. 

1 . While the first embodiment described thatthe encryp- 
tion E^according to the first encryption algorithm was..- 
standardized for DES, the present invent ionUs; not lim- 
ited to such an encryption method. - i : - ' 

Fig. 10 shows an 8 bit data encrypter which is sub- 
stitutive in nature. Here, the 8-bit plaintext X is converted 
into the intermediate data Y by bit substitution unit 301 , 
before the exclusive OR unit 302 performs exclusive OR 
operations for each bit' of intermediate data Y and the - 
key'data K which converts it into the cryptogram Z. As 
one example, when the plaintext X' is- 11110000" and 
the key data is "01010101 the intermediate data Y be- 
comes "01010101 " and the cryptogram Z becomes 
"00000000". ■ ■ 

Complex encrypters of a substitutive nature can be 
produced by setting the combination of the above kinds 
of bit substitution unit and exclusive OR unit as one 
block and connecting a plurality of the same kind of 
blocks in series or in parallel. A decrypter is produced 



.by connecting a bit substitution unit 301 and an exclu- 
sive OR unit 302 in reverse order . 

In the above embodiments, the encryption E 2 ac- 
. ■ cording to the second encryption algorithm and the en- 
5 . cryption E 3 according to the third encryption algorithm 
were described as being substitutive encryption per- 
• formed for 64-bit unit data, although the present inven- 
tion is not limited.to this, kind of .encryption. In fact, pro- 
vided the first encryption algorithm. satisfies the Equa- 
10 , tions 1 and 3 given above, the second and third encryp- 
tion algorithms only need to satisfy Equation 1 . 
2. In the first embodiment, the fundamental procedure 
used by each communication device in authenticating 
the other was the generation of a random number to be 
. 15 ■ sent as challenge data the encryption (or decryption) of 
.. the response data which comes in reply and the com- 
. v . parison of the generated random data with the encrypt- 
ed (decrypted) result, although the present invention is 
not limited to this procedure. 
20 As one example, a random number may be encrypt- 
ed (or decrypted) before being sent to the other device, 
-.. .• . with the response data then being compared to this ran- 
dom number. This. procedure is. equally secure; 
3 In the second embodiment, an identical encryption 
25 module (84, 103) was provided in each of the supplier 
. . device 170 and the user device 190 to increase the se- 
:■; - curity ..of the two-way authentication,; although the 
present invention is not limited to this particular con- 
: . * struction 

30 . i As one example, an encryption module may be pro- 
vided to the user device 190. with a corresponding de- 
*= cryption module being provided to the supplier device 
1.70. By strictly controlling both of these modules, an in- 
... crease in the security of tworway authentication-can be 
• 35 - achieved. . ■ 1 :■ - : 

4. in the third embodiment, the procedure stored before- 
hand in the SCSI controller 210. in the supplier device 
270 was given priority in determining the procedure to 
. . ; , be used aftera reconnect, although the present inven- 
. 40 ..tion need- not be. limited to such, so that, a procedure 
stored in.the user device 290 may be given priority. 
- 5. The; system of the third embodiment, was described 
as.corresponding to the system of the first embodiment 
which has been adapted to SCSI standard, although the 
45 present invention is not limited to this. The system of the 
second embodiment may similarly be adapted to SCSI 
standard. Also, the systems of the second and third em- 
- . . .■ :bodiments may use a different communication protocol 
to SCSI standard, such as a communication protocol 
50 which includes a command phase and a data transfer 
phase. 2. ' . ' ':' 

Although the present invention has been fully de- 
scribed by .way* of examples with reference to the ac- 
: ■ companying drawings, it - is to be noted that various 
55 changes and modifications will be apparent to those 
skilled in the art. Therefore, unless such changes and 
modifications depart from the scope of the present in- 
vention, they should be construed as being included 
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therein. 



Claims 

5 

1. A communication apparatus for performing two-way 
* authentication in challenge response format with 

another communication apparatus on a communi- 
cation channel, the communication apparatus com- 
prising: .10 

first authentication key storage means for stor- 
ing a first authentication key which is only pro- 4. 
vided to authorized communication apparatus- 
es; ■■ is 
first data converting means for performing a da- 
ta conversion determined by the first authenti- 
cation key, wherein the data conversion is sub- 5. 
stitutive. in nature; 

authenticating means (or authenticating- the 20 
other communication apparatus using commu- . 
nication in the challenge response format and 
the data conversion performed by the first data 
converting means; and 

proving mCuriG for proving an authorization of 25 , 
a present communication apparatus using 
communication in the challenge response for- 
mat and the data conversion performed by the ^ ' 
first data converting means. 

30 

2. The communication apparatus.of claim 1. 

wherein the authenticating means includes: 
a challenge data transmitting unit for generat- 
ing a random number and transmitting the ran- -35 
dom number to the other, communication appa- 
ratus as challenge data; and 
a verifying unit for receiving response data from . 
. the other communication' apparatus, for con- 6. 
verting the response data using the first'data *P . 
converting means, for comparing the converted 
response data with the generated random- v 
number and for notifying the other communica- 
tion apparatus of an authentication of the other 
communication apparatus if the converted re- *s ■ 
spohse data coincides with the random 
number, 

wherein the proving means receives the chal- 
lenge data from the other communication ap- ( 
paratus, converts the challenge data using the 50 
- first data converting means and transmits the 
* converted challenge data to the other commu- 
nication, apparatus as response data. 

3. The communication apparatus of claim 2 for per- ss 
forming data transfer after two-way authentication . 
has been achieved, the communication apparatus 
further comprising: . 



shared key obtaining means for obtaining a 
shared key according to a certain procedure if 
both the present communication apparatus and 
the other communication apparatus have been 
authenticated by each other; 
second data converting means for performing 
a data conversion determined by the shared 
key; and 

data transferring means for performing the data 
transfer of the converted data using the second 
data converting means. 

The communication apparatus of claim 3, wherein 
the first authentication key storage means and the 
first data converting means are combined in one in- 
tegrated circuit. 

The communication apparatus of claim 4 : further 
comprising: . 

second authentication key storage means for 
storing a second authentication key which is 
only provided to authorized communication ap- 
paratuses; 

third data converting moans for performing a 
data conversion determined by the second au- 
thentication key, wherein 

the second authentication key storage means 
and the, third data converting means are com- 
bined in one integrated circuit, 
wherein the authenticating means authenti- 
cates; the other communication apparatus us- 
ing the first data converting means and the third 
* data converting means. and the proving means 
. proves an authorization of a present communi- 
cation apparatus using the first data converting 
means and the third data converting means. 

The communication apparatus of claim 4, wherein 
the communication apparatus includes two commu- 
nication states called a command phase and a data 
transfer phase and the communication apparatus 
further comprises: 

authentication controlling means for controlling 
the authenticating means, the proving means, 
and the shared key obtaining means during the 
command phase to have the authenticating 
means authenticate the other communication 
apparatus, to have the proving means prove 
the authorization of the present communication 
apparatus and to have the shared key obtaining 
means obtain the shared key; 
data transfer controlling means for controlling 
the. data transferring means during the data 
transfer phase to have the data transferring 
means transfer the converted data. 
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The communication apparatus of claim 6, wherein 
the communication apparatus includes a discon- 
nect function which is used for temporarily closing 
an established connection to make the communica- 
tion channel available and a reconnect function 
which is used for reopening the temporarily closed *. 
connection, the communication apparatus further 
comprising: 

deciding means for exchanging information 
with the other communication apparatus and 
storing a common procedure before a discon- 
nect is performed for an established connec- 
tion, 

wherein the common procedure includes infor- 
mation as to whether to re-execute an authen- 
tication by the authenticating means, whether . 
to re-execute proving by the proving 'means, ' 
whether to re-execute 1 an obtaining of the 
shared key by Ihe shared key obtaining means, 
and whether to re-execute a data transfer by 
• the data transferring means. - 

A communication system which is made up of a sup- 
plier apparatus that supplies information and a user 
apparatus that uses the information and which per- 
forms two-way authentication in challenge re- . 
sponse format on a communication channel, where- 
in the supplier apparatus' comprises: 

first authentication key storage means for stor- 
ing a' first authentication' key which is only pro- 
vided to authorized supplier apparatuses; 
first encrypting means for performing an en- 
' : cryption determined by the first authentication, 
key, wherein the encryption is substitutive in na- - 
ture and wherein the first encrypting means is 
combined with the first authentication key stor- 
■ age means in one integrated circuit; 
"authenticating means for authenticating the us-.: 
er apparatus; and : - 

proving means for proving an authorization of 
the supplier apparatus using the communica- 
tion in the challenge response format and the 
encryption performed by the first encrypting 
means, 

•and the user apparatus comprises: 
user first authentication key storage means for f 
storing the same first authentication key as the 
first authentication keystorage means in the 
supplier apparatus; * * 
* first decrypting means for performing a decryp- 
tion determined by the first authentication key, 
wherein the decryption is a reverse conversion 
of the encryption performed by the first encrypt- 
ing means in the supplier apparatus and where- 
in the user first authentication key storage 
means and the first decrypting means are com- 



bined in one integrated circuit; 
user authenticating means for authenticating 
the supplier apparatus using communication in 
challenge response format and the decryption 

5 performed by the first decrypting means; and 

user proving means for proving an authoriza- 
tion of the user apparatus using the communi- 
cation in challenge response format and the de- 
cryption performed by; the first . decrypting 

10 means. 

9. The communication system of claim 8, wherein the 
> supplier apparatus further comprises: 

is shared key obtaining means for generating a 

* ■ " random number as a shared key, for encrypting 
... .the . shared key using the first encrypting 
; .. * . means, and for transmitting a cryptogram ob- 
tained from the encryption to the user appara- 
20. ... tus; : • 

• . ; ■ second encrypting means for performing an en- 
cryption determined by the shared key; and 
information transmitting means for encrypting 
information using the second encrypting means 
25, and transmitting the encrypted information to 

■ . - ■ * the user apparatus, only after receiving a noti- 
i fication of authentication from the User appa- 

••■ c: : v . • • ratus,- . : . ' 

wherein the user apparatus further comprises: 
30 user shared key obtaining means for decrypting 

•the cryptogram sent from the supplier appara- 
tus using the first decrypting means if the au- 
. J . . thenticating means has authenticated the sup- 

plier apparatus and for storing a plaintext ob- 
35:, tained from the decryption as the shared key; 

second decrypting means for performing a de- 
cryption determined by the shared key, wherein 
the decryption is a reverse conversion of the 
. ■ ■:> . .. encryption performed by the second encrypting 
40 - <- - means in the supplier apparatus; and 

. . ^ . information receiving means for receiving the 
■ . encrypted information transmitted by the tnfor- 
j ;.■ mation transmitting means of the supplier ap- 
; , paratus and decrypting;the encrypted informa- 
45,. - tion using the second decrypting means. 

10. The communication system of claim 9, 

- ■ .... wherein the supplier apparatus further compris- 

so - ... - es: . . ■ - . ■ - 

second authentication key storage means for 
v. storing a second authentication key which is 

only provided, to supplier apparatuses which 
have been authorized; and 

55. . - j third encrypting means for performing an en- 
cryption determinedly the second authentica- 
tion key, wherein, the third encrypting means 
and the second authentication key storage 
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means are combined in one integrated circuit, 
wherein the authenticating means authenti- 
cates the user apparatus using the first encrypt- 
ing means and the third encrypting means, and 
the proving means proves an authorization of s 
the supplierapparatus using the first encrypting 
means and the third encrypting means, 
and the user apparatus further comprises: 
user second authentication key storage means 
for storing the same second authentication key 10 
as the second authentication key storage 
means in the supplier apparatus; 
user third encrypting means for performing the 
same encryption as the third encrypting means 
in the supplier apparatus, wherein the user third 7 5 
encrypting means and the user second authen- 
tication key storage means are combined in 
one integrated circuit, 

wherein the user authenticating means authen-- » 
licales Ihe supplier apparatus using the firsl de- 20 
crypting means and the user third encrypting, 
means, and the user proving means proves an 
authorization of the user apparatus using the 
first decrypting means and the user third en- 

11. The communication system of claim 9, wherein 

the supplier apparatus includes two communi- 
cation states called a command phase and a 30 
data transfer phase, and further includes a dis- 
connect function which is used for temporarily 
closing an established connection to make the 
communication channel available and a recon- 
nect function which is used for reopening the 35 
temporarily closed connection, 
wherein the supplier apparatus further compris- 
es 

authentication controlling means for controlling 
the authenticating means, the proving means, 40 
and the shared key obtaining means during the 
command phase to have the authenticating 
means authenticate the user apparatus, to 
have the proving means prove the authoriza- 
tion of the supplier communication apparatus <*s 
and to have the shared key obtaining means 
obtain the shared key; 

data transfer controlling means for controlling 
the information transmitting means during the 
data transfer phase to have the information so 
transmitting means perform information trans- 
mission; 

deciding means for exchanging information 
with the user apparatus and storing a common 
procedure before a disconnect is performed for ss 
an established connection, 
wherein the common procedure includes infor- 
mation as to whether to re-execute an authen- 



tication by the authenticating means, whether 
to re-execute proving by the proving means, 
whether to re-execute an obtaining of the 
shared key by the shared key obtaining means, 
and whether to re-execute the information 
transmission by the information transmitting 
means, 

wherein the user apparatus includes two com- 
munication states called a command phase 
and a data transfer phase, and further includes 
the same disconnect function and reconnect 
function as the supplier apparatus, 
wherein the user apparatus further comprises: 
authentication controlling means for controlling 
the authenticating means, the proving means, 
and the shared key obtaining means during the 
command phase to- have the authenticating 
means authenticate the supplier apparatus, to 
have the proving means prove the authoriza- 
tion of the user communication apparatus and 
to have the shared key obtaining means obtain 
the shared key; 

data transfer controlling means for controlling 
the information receiving means during the da- 
ta transfer phase to have thn information m- 
ceiving means perform information reception; 
deciding means for exchanging information 
with the user apparatus and storing a common 
procedure before a disconnect is performed for 
an established connection, 
wherein the common procedure includes infor- 
mation as to whether to re-execute an authen- 
tication by the authenticating means, whether 
to re-execute proving by the proving means, 
whether to re-execute an obtaining of the 
shared key by the shared key obtaining means, 
and whether to re-execute the information re- 
ception by the information transmitting means. 

12. A method for performing two-way authentication 
and distribution of a secret key in a communication 
system 8. A communication system which is made 
up of a supplier apparatus that supplies information 
and a user apparatus that uses the information, the 
method comprising: 

a first step in which the supplier apparatus gen- 
erates a first random number and transmits the 
first random number to the user apparatus; 
a second step in which the user apparatus re- 
ceives the first random number, generates a 
second random number, combines the first ran- 
dom number and the second random number 
into a first cryptogram, decrypts the first cryp- 
togram, and transmits a first plaintext obtained 
from the decryption to the supplier apparatus; 
a third step in which the supplierapparatus re- 
ceives the first plaintext, encrypts the first ptain- 
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text, divides a second cryptogram obtained .. . 
i from the encryption into first data and second ' 
data, the first data corresponding to the first 
random number. and "the second data corre- 
sponding to the second random number, com- ■ 5 
pares the first random number with the first da- 
ta, generates a third random number as the se- 
cret key if the first data coincides with the first 
random number, combines the third random 
number and the second data, encrypts a sec- 10 
ond plaintext which is obtained from combina- 
tion using a same encryption method as when 
encrypting the first plaintext, and transmits to 
the user apparatus a third cryptogram obtained - 
by encrypting the second plaintext; and 15 
a fourth step in which the user apparatus re- 
; ceives the third cryptogram, decrypts the third ■ 
cryptogram using a same decryption method as 
when decrypting the first cryptogram, divides a 
third plaintext obtained by decrypting the third- 20 
cryptogram into third data and fourth data, the 
third data corresponding to the second data - 
and the fourth' data corresponding to the third 
random number, compares the third data with 
the second random number, and, if the third da- 2S 
ta coincides* with the second random number, 
notifies the supplier apparatus of a coincidence 
-of the third data and the second random 
number and holds the fourth data as the secret 
key. ■ ■ . ' * - -30, 
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